We have a server with a static IP, let's say x.x.2.5. We have several WinXP machines (but not all) that will occasionally resolve the hostname to x.x.1.59 (x.x.1.x is the local subnet).

The DHCP range in the router is set to x.x.50-199 and the router has issued a lease for 1.59.

It is theoretically possible that some host with the same hostname is out there. It responds to ping but does not appear to have registered itself with our Windows DNS servers (no entry for 1.59), so I don't think that this is the case.

DNS for the 2.5 server is static and it only appears one time (no other entries for this server appear).

On the affected PC, if I do:

ping THEHOST

I get 1.59

If I do:

nslookup THEHOST

I get 2.5

So it appears the local cache is somewhat fubar. If I restart the XP machine, it picks up the correct IP address and all is well. Failure is intermittent and not reproducible after reboot.

Our local Windows admin is stumped and so am I (but I'm not a Windows admin, so that is not surprising). Any way to track down this crazy IP? When it happens again, what should I check?

2 Answers

When Windows XP attempts to resolve NetBIOS names, which is what you are using if you don't give a full DNS name with suffix, it goes through the following resources in this order:

1. NetBIOS name cache
2. WINS server
3. B-node broadcast
4. LMHosts file
5. Hosts file
6. DNS server

Using nslookup skips right to number 6, which is probably why you don't see the problem when you use nslookup. Cache poisoning and a rogue WINS server seem unlikely, and if the problem is not reproducible on reboot then it is not a HOST or LMHOST file problem. That leaves b-node broadcast as the most likely source of the problem. I would guess that you have a machine on the same network segment as the affected hosts that has the NetBIOS name THEHOST. One way to tell if it is a NetBIOS problem is by pinging THEHOST.DOMAIN and seeing if that makes the problem go away. If so, it is definitely NetBIOS; if not, then you've got a DNS problem.

The reason is that nslookup ALWAYS uses the default DNS server for its resolution, but Ping goes through the normal Windows method, which checks the hosts file before it checks the DNS, and this may be getting cached.

The other avenue is to do an ipconfig /flushdns and see if it resolves correctly after that.
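The checks suggested in both answers can be captured in one pass the next time the wrong address appears. The batch file below is an added example, not part of either answer; NAME, FQDN and BADIP are placeholders to replace with your own values, and the output file name is an arbitrary choice.

```batch
@echo off
rem Added example, not from the original posts.
rem Run on the affected XP PC while "ping THEHOST" returns the wrong
rem address, BEFORE rebooting or flushing any cache.
rem Assumption: the three values below are placeholders; edit them first.
set NAME=THEHOST
set FQDN=THEHOST.DOMAIN
set BADIP=x.x.1.59
set OUT=%TEMP%\nameres-%COMPUTERNAME%.txt

echo Collected %DATE% %TIME% on %COMPUTERNAME% > "%OUT%"

rem 1. Snapshot the caches first, so later lookups cannot disturb them.
call :run nbtstat -c
call :run nbtstat -r
call :run ipconfig /displaydns

rem 2. Compare the three resolution paths discussed in the answers:
rem    short name (NetBIOS order), full DNS name, and DNS server only.
call :run ping -n 1 %NAME%
call :run ping -n 1 %FQDN%
call :run nslookup %NAME%

rem 3. Identify the machine at the unexpected address: its NetBIOS
rem    name table and MAC (nbtstat -A), then the ARP cache entry.
call :run nbtstat -A %BADIP%
call :run arp -a

rem 4. Record which DNS/WINS servers and node type this PC is using.
call :run ipconfig /all

echo Results written to %OUT%
goto :eof

:run
rem Write a header line, then the command output (stdout and stderr).
echo. >> "%OUT%"
echo ===== %* >> "%OUT%"
%* >> "%OUT%" 2>&1
goto :eof
```

If THEHOST shows up in the `nbtstat -c` cache with the unexpected address, or `nbtstat -r` shows names resolved by broadcast, the NetBIOS path is the source; if the stale entry is in `ipconfig /displaydns` instead, it is the DNS client cache.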